A newly disclosed Android flaw put one of crypto's least glamorous risks back on the front page: mobile wallet security. Microsoft researchers say a vulnerability tied to the widely used EngageLab SDK left roughly 30 million crypto wallet users exposed to attack, with the broader Android app impact stretching far beyond crypto. The key point is simple: this was not a chain exploit, it was an app-layer problem, which is often where users actually get rekt. [1]

What Microsoft found

Microsoft's security team traced the issue to an Android intent redirection vulnerability in the third-party EngageLab software development kit. That SDK is used by app makers for push notifications, analytics, and user engagement features. If integrated insecurely, it could let a malicious app on the same device intercept or redirect sensitive app traffic. [1]

For crypto wallets, that creates a nasty attack surface. An attacker may not need to break encryption or touch the blockchain at all. They just need a way to manipulate what happens inside the phone, potentially hijacking flows tied to wallet recovery, account access, or other sensitive actions. That is a much cheaper route for attackers than trying to brute-force keys.

Reports tied to Microsoft's findings suggest the vulnerable SDK was present across apps reaching around 50 million Android users, with roughly 30 million of those linked to crypto wallet apps. That does not mean 30 million wallets were drained. It means the exposure was large enough that the installed base mattered immediately. [2]

Why this matters for wallet users

The crypto industry likes to market self-custody as sovereign and trustless. Fair enough. But the user stack is still full of middlemen in code form: libraries, SDKs, APIs, notification tools. Every added component is another place where security assumptions can quietly break.

That is the real lesson here. Many wallet users think risk starts and ends with seed phrase storage. In practice, mobile wallets also depend on operating system behavior, deep linking, permissions, third-party integrations, and update hygiene. If one of those layers is weak, an attacker can target the wallet without ever touching the underlying chain.

Microsoft's findings also reinforce a broader pattern in mobile security: third-party SDKs can become systemic risk. One vendor gets embedded everywhere, one bug slips through, and suddenly millions of users share the same blast radius. It is efficient for developers, until it is not. [3]

What users and developers should do now

Wallet users on Android should update affected apps immediately and remove apps that no longer receive active maintenance. Installing software only from the Google Play Store helps, but it is not a magic shield if the legitimate app itself shipped vulnerable components. Hardware wallets remain the cleaner option for larger balances because they reduce dependency on a phone's software stack for signing.

Developers have a more direct to-do list. Audit third-party SDKs, minimize permissions, restrict inter-app communication, and treat deep-linking and intent handling as critical infrastructure, not side plumbing. Security teams should also review whether push notification and engagement tools really belong inside high-value financial apps in the first place.

The Bigger Picture

This story matters because it shows where the next wave of crypto attacks is likely to land. Not smart contracts, not consensus, just the boring mobile app supply chain. That is where scale lives, and attackers know it.

Watchlist: patched app versions, wallet teams disclosing exposure clearly, and whether more Android finance apps admit they used the same SDK. If your security model depends on your phone behaving perfectly, that is not a model, it is hope. [4]